mirror of
https://github.com/project-zot/zot.git
synced 2025-01-13 22:50:38 -05:00
f618b1d4ef
* ci(deps): upgrade golangci-lint
Signed-off-by: Jan-Otto Kröpke <mail@jkroepke.de>
* build(deps): removed disabled linters
Signed-off-by: Jan-Otto Kröpke <mail@jkroepke.de>
* build(deps): go run github.com/daixiang0/gci@latest write .
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* build(deps): go run golang.org/x/tools/cmd/goimports@latest -l -w .
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* build(deps): go run github.com/bombsimon/wsl/v4/cmd...@latest -strict-append -test=true -fix ./...
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* build(deps): go run github.com/catenacyber/perfsprint@latest -fix ./...
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* build(deps): replace gomnd by mnd
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* build(deps): make gqlgen
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* build: Revert "build(deps): go run github.com/daixiang0/gci@latest write ."
This reverts commit 5bf8c42e1f
.
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* build(deps): go run github.com/daixiang0/gci@latest write -s 'standard' -s default -s 'prefix(zotregistry.dev/zot)' .
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* build(deps): make gqlgen
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* fix: wsl issues
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* fix: wsl issues
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* fix: wsl issues
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* fix: wsl issues
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* fix: wsl issues
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* fix: wsl issues
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* fix: wsl issues
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* fix: wsl issues
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* fix: wsl issues
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* fix: wsl issues
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* fix: wsl issues
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* fix: wsl issues
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* fix: wsl issues
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* fix: wsl issues
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* fix: wsl issues
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* fix: wsl issues
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* fix: wsl issues
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* fix: wsl issues
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* fix: wsl issues
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* fix: wsl issues
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* fix: wsl issues
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* fix: wsl issues
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* fix: wsl issues
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* fix: wsl issues
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* fix: check-log issues
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* fix: gci issues
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
* fix: tests
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
---------
Signed-off-by: Jan-Otto Kröpke <mail@jkroepke.de>
Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
139 lines
3.9 KiB
Go
139 lines
3.9 KiB
Go
package common
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"net/http"
|
|
"os"
|
|
"path/filepath"
|
|
)
|
|
|
|
func GetTLSConfig(certsPath string, caCertPool *x509.CertPool) (*tls.Config, error) {
|
|
clientCert := filepath.Join(certsPath, ClientCertFilename)
|
|
clientKey := filepath.Join(certsPath, ClientKeyFilename)
|
|
caCertFile := filepath.Join(certsPath, CaCertFilename)
|
|
|
|
cert, err := tls.LoadX509KeyPair(clientCert, clientKey)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
caCert, err := os.ReadFile(caCertFile)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
caCertPool.AppendCertsFromPEM(caCert)
|
|
|
|
return &tls.Config{
|
|
Certificates: []tls.Certificate{cert},
|
|
RootCAs: caCertPool,
|
|
MinVersion: tls.VersionTLS12,
|
|
}, nil
|
|
}
|
|
|
|
func loadPerHostCerts(caCertPool *x509.CertPool, host string) *tls.Config {
|
|
// Check if the /home/user/.config/containers/certs.d/$IP:$PORT dir exists
|
|
home := os.Getenv("HOME")
|
|
clientCertsDir := filepath.Join(home, homeCertsDir, host)
|
|
|
|
if DirExists(clientCertsDir) {
|
|
tlsConfig, err := GetTLSConfig(clientCertsDir, caCertPool)
|
|
if err == nil {
|
|
return tlsConfig
|
|
}
|
|
}
|
|
|
|
// Check if the /etc/containers/certs.d/$IP:$PORT dir exists
|
|
clientCertsDir = filepath.Join(certsPath, host)
|
|
if DirExists(clientCertsDir) {
|
|
tlsConfig, err := GetTLSConfig(clientCertsDir, caCertPool)
|
|
if err == nil {
|
|
return tlsConfig
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// Holds certificate options for an HTTP client.
|
|
type HTTPClientCertOptions struct {
|
|
ClientCertFile string // Holds the path to the client certificate file. Mandatory if ClientKeyFile is present.
|
|
ClientKeyFile string // Holds the path to the client key file. Mandatory if ClientCertFile is present.
|
|
RootCaCertFile string // Optional. Holds the path to the custom Root CA cert file.
|
|
}
|
|
|
|
// Holds client options for creating an HTTP client.
|
|
type HTTPClientOptions struct {
|
|
// Results in a client with TLS config if true.
|
|
TLSEnabled bool
|
|
|
|
// Results in a client without certificate config and TLS verification disabled if true.
|
|
// Note: if TLSEnabled is false and VerifyTLS is true, the client will not have the verification
|
|
// of insecure certificates set to false. For this, both TLSEnabled and VerifyTLS need to be
|
|
// true.
|
|
VerifyTLS bool
|
|
|
|
// The target host for the imminent connection. Used for loading host specific certificates if any.
|
|
Host string
|
|
|
|
// Certificate options for the client.
|
|
CertOptions HTTPClientCertOptions
|
|
}
|
|
|
|
func CreateHTTPClient(clientOptions *HTTPClientOptions) (*http.Client, error) {
|
|
htr := http.DefaultTransport.(*http.Transport).Clone() //nolint: forcetypeassert
|
|
|
|
// If TLS is not enabled, return the client without any further TLS config.
|
|
if !clientOptions.TLSEnabled {
|
|
return &http.Client{
|
|
Timeout: httpTimeout,
|
|
Transport: htr,
|
|
}, nil
|
|
}
|
|
|
|
if !clientOptions.VerifyTLS {
|
|
htr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} //nolint: gosec
|
|
|
|
return &http.Client{
|
|
Timeout: httpTimeout,
|
|
Transport: htr,
|
|
}, nil
|
|
}
|
|
|
|
// Add a copy of the system cert pool.
|
|
caCertPool, _ := x509.SystemCertPool()
|
|
|
|
// Add a custom CA cert if present in the options.
|
|
if clientOptions.CertOptions.RootCaCertFile != "" {
|
|
caCert, err := os.ReadFile(clientOptions.CertOptions.RootCaCertFile)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
caCertPool.AppendCertsFromPEM(caCert)
|
|
}
|
|
|
|
// Load certificates specific to the host if any.
|
|
tlsConfig := loadPerHostCerts(caCertPool, clientOptions.Host)
|
|
if tlsConfig == nil {
|
|
tlsConfig = &tls.Config{RootCAs: caCertPool, MinVersion: tls.VersionTLS12}
|
|
}
|
|
|
|
// Try to load certificate key pair if either are present in the options.
|
|
if clientOptions.CertOptions.ClientCertFile != "" || clientOptions.CertOptions.ClientKeyFile != "" {
|
|
cert, err := tls.LoadX509KeyPair(clientOptions.CertOptions.ClientCertFile, clientOptions.CertOptions.ClientKeyFile)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
|
|
}
|
|
|
|
htr.TLSClientConfig = tlsConfig
|
|
|
|
return &http.Client{
|
|
Transport: htr,
|
|
Timeout: httpTimeout,
|
|
}, nil
|
|
}
|